I have remote systems on which only /home is an encrypted partition. The reason is that it eases remote management a lot when you have no serial access; it's not ideal if you have critical files, but in my use case it's good enough.
In this blog post, I'll explain how to get the remote system to prompt you for the unlocking passphrase automatically when it boots. I'm using OpenBSD in my example, but you can achieve the same with Linux and cryptsetup (LUKS); if you want to push the idea further on Linux, you could do this from the initramfs to unlock your root partition.
* install zenity on your workstation
* run ssh-keygen as root on the remote system and keep /root/.ssh/id_rsa.pub for the next step (or the public key file if you chose a different key algorithm)
* add the following line to ~/.ssh/authorized_keys on your workstation:

```
restrict,command="/usr/local/bin/zenity --forms --text='Unlock t400 /home' --add-password='passphrase' --display=:0" $THE_PUBLIC_KEY_HERE
```
The new line allows the ssh key to connect to our local user, but it is restricted to a single command: zenity, a GUI dialog program used to generate forms/dialogs in X sessions.
In the example, this creates a simple form in an X window with the label "Unlock t400 /home" and adds a password field that hides the typed text, shown on display :0 (the default one). Upon connection from the remote server, the form is displayed; you type the passphrase and validate, then the content is written to stdout, which travels back to the remote server and into the bioctl command that unlocks the disk.
On the server, create the file /etc/rc.local with the following content (please adapt to your system):
```
#!/bin/sh
# ssh runs the forced command (zenity) on the workstation; the passphrase it
# prints comes back on stdout and is fed to bioctl, which reads it from stdin (-s)
ssh solene@10.42.42.102 | bioctl -s -c C -l 1a52f9ec20246135.k softraid0
# only mount /home if bioctl succeeded in attaching the crypto volume
if [ $? -eq 0 ]
then
    mount /home
fi
```
In this script, solene@10.42.42.102 is my user@laptop-address, and 1a52f9ec20246135.k is my encrypted partition. The file /etc/rc.local is run at boot after most of the services, including networking.
You should get a display like this when the system boots:
=> a GUI window asking for a passphrase to unlock the /home partition of the computer named T400
With this simple setup, I can reboot my remote systems and wait for the passphrase to be asked quite reliably. Because of ssh, I can authenticate which system is asking for a passphrase, and it's sent encrypted over the network.
It's possible to go further with this idea by using a local password database to automatically pick the passphrase, but you lose some manual control: if someone steals a machine, you may not want to unlock it after all ;) It would also be possible to prompt a Yes/No dialog before piping the passphrase from your computer; do what feels correct for you.
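Following up on the Yes/No idea, here is an added example (not from the original post) of a wrapper you can point the command= option at instead of zenity directly: it shows which host is asking, requires a confirmation, and only then prompts for the passphrase. The script path /usr/local/bin/unlock-prompt, the label argument and the logger tag are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Use it in authorized_keys as:
#   restrict,command="/usr/local/bin/unlock-prompt t400" $THE_PUBLIC_KEY_HERE
# The label "t400" is tied to the key in authorized_keys, so the dialog cannot
# be relabelled by whatever the connecting client sends.

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port"
# for forced commands; the first field is the system asking to be unlocked.
requester_ip() {
    set -- $1
    printf '%s\n' "${1:-unknown}"
}

# Dialog text built from the authorized_keys label ($1) and SSH_CONNECTION ($2).
dialog_text() {
    printf 'Unlock %s /home (request from %s)\n' "$1" "$(requester_ip "$2")"
}

main() {
    label=${1:-unnamed}
    text=$(dialog_text "$label" "${SSH_CONNECTION:-}")
    export DISPLAY=${DISPLAY:-:0}
    # Confirmation first: a denied request never reaches the passphrase prompt,
    # and the non-zero exit leaves bioctl on the server with nothing to read.
    zenity --question --text="$text. Send passphrase?" || exit 1
    # Keep a local trace of every release (tag "unlock-prompt" is an assumption).
    logger -t unlock-prompt "passphrase released for $label to $(requester_ip "${SSH_CONNECTION:-}")"
    # The typed passphrase goes to stdout, back through ssh into bioctl -s.
    exec zenity --password --title="$text"
}

# Only open the dialogs when invoked as an SSH forced command.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main "$@"
fi
```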